<</regurgitate on>
OK
http://www.interhack.net/pubs/fwfaq/
http://webopedia.internet.com/TERM/b/bastion_host.html
Marcus J. Ranum, "Thinking About Firewalls", SANS 1993. An updated version,
"Thinking About Firewalls V2.0: Beyond Perimeter Security", is available at
http://pubweb.nfr.net/~mjr/pubs/think/index.htm.
Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, "Building Internet
Firewalls, 2nd Edition", O'Reilly & Associates, June 2000.
"Marcus Ranum is generally credited with applying the term bastion to hosts
that are exposed to attack, and its common use in the firewall community.
In the paper he states:
'Bastions are the highly fortified parts of a medieval castle; points that
overlook critical areas of defense, usually having stronger walls, room for
extra troops, and the occasional useful tub of boiling hot oil for
discouraging attackers. A bastion host is a system identified by the
firewall administrator as a critical strong point in the network's
security. Generally, bastion hosts will have some degree of extra attention
paid to their security, may undergo regular audits, and may have modified
software.
Bastion hosts are not general purpose computing resources. They differ in
both their purpose and their specific configuration. A victim host may
permit network logins so users can run untrusted services, while
a firewall gateway may only permit logins at the system console. The
process of configuring or constructing a bastion host is often referred to
as hardening.
The effectiveness of a specific bastion host configuration can usually be
judged by answering the following questions:
1. How does the bastion host protect itself from attack?
2. How does the bastion host protect the network behind it from attack?
Extreme caution should be exercised when installing new software on bastion
hosts. Very few software products have been designed and tested to run on
these exposed systems."
<<//regurgitate off>
At 02:56 PM 8/30/00 -0500, Noonan, Wesley wrote:
>Does anyone have any books, whitepapers, websites, etc. that define in some
>detail what a bastion host is? I think I understand what they are and
>why/where one should implement them, but want to make sure. As an example,
>would an external DNS server, either on a DMZ or exposed, used as a
>forwarder be considered a bastion host? TIA
>
>Wes Noonan, MCP+I/MCSE/MCT/CCNA/NNCSS
>Senior QA Rep
>(713) 918-2412
>BMC Software, Inc.
>[EMAIL PROTECTED]
>http://www.bmc.com
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]